Wednesday, August 9, 2017

Managing Azure Subscriptions and Access Rights

What is an Azure Subscription?
A Windows Azure subscription grants you access to Windows Azure services and to the Windows Azure Platform Management Portal. It is also described as an active agreement with Microsoft, which is needed to provision resources in Microsoft Azure.
A Windows Azure subscription has two aspects:
  • The Windows Azure account, through which resource usage is reported and services are billed.
  • The subscription itself, which governs access to and use of the Windows Azure services that are subscribed to. The subscription holder manages services (Windows Azure, SQL Azure, Storage, etc.) through the Windows Azure Platform Management Portal.
Azure subscriptions are managed using admin accounts. There are three types of admin accounts:

Administrative role: Account Administrator (AA)
Limit: 1 per Azure account
Description: This is the person who signed up for or bought Azure subscriptions, and is authorized to access the Account Center and perform various management tasks. These include being able to create subscriptions, cancel subscriptions, change the billing for a subscription, and change the Service Administrator.

Administrative role: Service Administrator (SA)
Limit: 1 per Azure subscription
Description: This role is authorized to manage services in the Azure portal. By default, for a new subscription, the Account Administrator is also the Service Administrator.

Administrative role: Co-administrator (CA) in the Azure classic portal
Limit: 200 per subscription
Description: This role has the same access privileges as the Service Administrator, but can't change the association of subscriptions to Azure directories.

Each Azure subscription is associated with one Azure Active Directory (AD) directory. Users, groups, and applications from that directory can manage resources in the Azure subscription. These access rights are assigned through the Azure portal, the Azure command-line tools, and the Azure Management APIs.
This document focuses on managing rights through the Azure Portal.

Resource hierarchy and access inheritance
·         Each subscription in Azure belongs to only one directory. (But each directory can have more than one subscription.)
·         Each resource group belongs to only one subscription.
·         Each resource belongs to only one resource group.


To find the Default Directory the subscription is associated with, go to the Azure classic portal and select Settings > Subscriptions.



To view Azure billing information and manage subscriptions, you must sign in to the Account Center as the Account Administrator.

Click on “ACCOUNT CENTER” to manage subscriptions.



Click on “add subscription” to create a new subscription.



Click on the appropriate subscription type to create one.



Azure RBAC has three basic roles that apply to all resource types:
·         Owner has full access to all resources including the right to delegate access to others.
·         Contributor can create and manage all types of Azure resources but can’t grant access to others.
·         Reader can view existing Azure resources.

The rest of the RBAC roles in Azure allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. It does not give them access to the virtual network or the subnet that the virtual machine connects to. A full list of roles can be found here: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

If required, we can also build custom roles as described here: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

Access rights are granted by assigning the appropriate RBAC (Role-Based Access Control) role to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to the children contained within it. For example, a user with access to a resource group can manage all the resources it contains, like websites, virtual machines, and subnets.

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs. Within each subscription, you can grant up to 2000 role assignments.

Managing Access Rights through Subscriptions
  • Go to the Azure Portal.
  • Select Subscriptions in the navigation bar on the left.
  • Select the name of the subscription from the Subscriptions blade.
  • Select Access control (IAM) from the left menu.
  • The Access control blade lists all users, groups, and applications that have been granted access to the subscription.
  • Note: Some roles are scoped to This resource while others are Inherited from another scope. Access is either assigned directly at this scope or inherited from an assignment at a parent scope.
  • Select Add on the Access control blade.
  • Select the role that you wish to assign from the Select a role blade.
  • Select the user, group, or application in your directory that you wish to grant access to. You can search the directory by display name, email address, or object identifier.
To remove access rights
  • Hover your cursor over the name of the assignment that you want to remove. A check box appears next to the name.
  • Use the check boxes to select one or more role assignments.
  • Select Remove.
  • Select Yes to confirm the removal.
  • Note: Inherited assignments cannot be removed here. If you need to remove an inherited assignment, you need to do it at the scope where the role assignment was created. In the Scope column, next to Inherited, there is a link that takes you to the resource where this role was assigned. Go to the resource listed there to remove the role assignment.



Managing Access Rights through Resource Groups

  • Go to the Azure Portal.
  • Select Resource groups in the navigation bar on the left.
  • Select the name of the resource group from the Resource groups blade.
  • Select Access control (IAM) from the left menu.
  • The Access control blade lists all users, groups, and applications that have been granted access to the resource group.
  • Note: Some roles are scoped to This resource while others are Inherited from another scope. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.
  • Select Add on the Access control blade.
  • Select the role that you wish to assign from the Select a role blade.
  • Select the user, group, or application in your directory that you wish to grant access to. You can search the directory by display name, email address, or object identifier.


To remove access rights
  • Hover your cursor over the name of the assignment that you want to remove. A check box appears next to the name.
  • Use the check boxes to select one or more role assignments.
  • Select Remove.
  • Select Yes to confirm the removal.
  • Note: Inherited assignments cannot be removed here. If you need to remove an inherited assignment, you need to do it at the scope where the role assignment was created. In the Scope column, next to Inherited, there is a link that takes you to the resource where this role was assigned. Go to the resource listed there to remove the role assignment.
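As an added illustration that is not part of the original post or of Azure's own code, the following Python model shows how role assignments at subscription, resource group and resource scope combine (the scope inheritance described above), why the Access control blade marks some assignments as Inherited, why an inherited assignment can only be removed at the scope where it was created, and how the 2000 assignments per subscription limit applies. The subscription id, resource names and principal names are constructed samples.

```python
"""Model of Azure RBAC scope inheritance (added example, not Azure's code)."""
from dataclasses import dataclass

# Scope strings follow the Azure resource ID shape: the resource group scope is a
# prefix of every resource ID inside it, and the subscription scope is a prefix
# of both. These ids are constructed samples.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/web-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

MAX_ASSIGNMENTS_PER_SUBSCRIPTION = 2000  # limit stated on the page


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group or application (display name here)
    role: str       # e.g. "Reader", "Contributor", "Virtual Machine Contributor"
    scope: str      # subscription, resource group or single resource id


def scope_contains(parent: str, child: str) -> bool:
    """True when child is parent itself or lies beneath it in the hierarchy.
    Azure scope comparison is case-insensitive; the trailing '/' avoids
    treating 'web-rg2' as a child of 'web-rg'."""
    p, c = parent.lower().rstrip("/"), child.lower().rstrip("/")
    return c == p or c.startswith(p + "/")


def subscription_scope(scope: str) -> str:
    """'/subscriptions/<id>' part of any scope string."""
    return "/".join(scope.split("/")[:3])


def add_assignment(assignments: list, new: RoleAssignment) -> None:
    """Add a role assignment, enforcing the per-subscription assignment limit."""
    sub = subscription_scope(new.scope)
    current = sum(1 for a in assignments if scope_contains(sub, a.scope))
    if current >= MAX_ASSIGNMENTS_PER_SUBSCRIPTION:
        raise ValueError("role assignment limit for this subscription reached")
    assignments.append(new)


def effective_access(assignments: list, scope: str) -> list:
    """(assignment, inherited) pairs that apply at scope, as the Access
    control (IAM) blade lists them: inherited == True means the assignment
    was created at a parent scope and shows as 'Inherited'."""
    return [(a, a.scope != scope) for a in assignments if scope_contains(a.scope, scope)]


def remove_assignment(assignments: list, target: RoleAssignment, at_scope: str) -> None:
    """Remove only when at_scope is where the assignment was created; an
    inherited assignment must be removed at its own scope (the Scope column link)."""
    if target.scope != at_scope:
        raise PermissionError(f"inherited from {target.scope}; remove it there")
    assignments.remove(target)
```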